I'm currently trying to get a simple OpenVPN setup working, and I'm almost there, except for what looks like a DNS (or routing) problem.
The client connects to the server fine, and I can ping the server (10.8.0.1) and Internet IPs (8.8.8.8). The problem shows up when I try to resolve any domain name. Here is what happens while the VPN connection is up:
[test@localhost etc]$ dig www.google.ca
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> www.google.ca
;; global options: +cmd
;; connection timed out; no servers could be reached
[test@localhost etc]$ dig @<client network DNS server> www.google.ca
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> @<client network DNS server> www.google.ca
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
[test@localhost etc]$ dig @8.8.8.8 www.google.ca
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> @8.8.8.8 www.google.ca
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6453
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.ca. IN A
;; ANSWER SECTION:
www.google.ca. 299 IN A 172.217.1.3
;; Query time: 32 msec
;; SERVER: 8.8.8.8
As far as I can tell, I'm pushing DNS from my server to my clients:
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.4.4"
push "dhcp-option DNS 8.8.8.8"
I've also set up the routes to the client:
client-config-dir ccd
route <client subnet IP> 255.255.255.0
In my client file:
iroute <client subnet IP> 255.255.255.0
iptables rules on my server:
*nat
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s <client subnet IP>/24 -o tun0 -j MASQUERADE
COMMIT
*filter
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
COMMIT
I've enabled IP forwarding in sysctl. Not really sure where to start looking, so any insight would be greatly appreciated.
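The dig output above (the default resolver times out while `dig @8.8.8.8` succeeds) is consistent with /etc/resolv.conf still pointing at a nameserver that is no longer reachable once `redirect-gateway def1` is in effect: on Linux the OpenVPN client does not apply pushed `dhcp-option DNS` values itself, it only exports them to an `--up` script as `foreign_option_N` environment variables. The script below is an added example of such a hook, not the poster's code and not OpenVPN's bundled update-resolv-conf; the install path, the RESOLV_CONF override and the test values are assumptions.

```shell
#!/bin/sh
# Added example: apply the "dhcp-option DNS" values a server pushes to a Linux client.
# OpenVPN runs this with script_type=up|down and foreign_option_1..N set, e.g.
#   foreign_option_1="dhcp-option DNS 8.8.4.4"
# Client config (path is an assumption; script-security 2 is required for --up/--down):
#   script-security 2
#   up   /etc/openvpn/apply-pushed-dns.sh
#   down /etc/openvpn/apply-pushed-dns.sh
# If /etc/resolv.conf is managed by systemd-resolved or NetworkManager, hand the
# servers to that manager instead of overwriting the file.

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"   # overridable so the logic can be exercised on a copy
BACKUP="$RESOLV_CONF.openvpn-backup"

# Translate foreign_option_1..N into resolv.conf lines; stops at the first unset index.
resolv_lines_from_foreign_options() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)    printf 'nameserver %s\n' "${opt#dhcp-option DNS }" ;;
            "dhcp-option DOMAIN "*) printf 'search %s\n' "${opt#dhcp-option DOMAIN }" ;;
        esac
        i=$((i + 1))
    done
}

# up: keep a copy of the current resolver config, then install the pushed servers.
# Returns 1 (and changes nothing) when the server pushed no DNS options at all.
apply_pushed_dns() {
    lines=$(resolv_lines_from_foreign_options)
    [ -n "$lines" ] || return 1
    [ -f "$BACKUP" ] || cp "$RESOLV_CONF" "$BACKUP"
    printf '%s\n' "$lines" > "$RESOLV_CONF"
}

# down: put the original resolver config back.
restore_dns() {
    [ -f "$BACKUP" ] && mv "$BACKUP" "$RESOLV_CONF"
}

case "${script_type:-}" in
    up)   apply_pushed_dns ;;
    down) restore_dns ;;
esac
```

After the tunnel comes up, `cat /etc/resolv.conf` should list the pushed servers and a plain `dig www.google.ca` should then take the same path as the working `dig @8.8.8.8`.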